Sciweavers

IACR
2011

Terminating BKZ

12 years 11 months ago
Terminating BKZ
Strong lattice reduction is the key element for most attacks against lattice-based cryptosystems. Between the strongest but impractical HKZ reduction and the weak but fast LLL reduction, there have been several attempts to find efficient trade-offs. Among them, the BKZ algorithm introduced by Schnorr and Euchner [FCT’91] seems to achieve the best time/quality compromise in practice. However, no reasonable complexity upper bound is known for BKZ, and Gama and Nguyen [Eurocrypt’08] observed experimentally that its practical runtime seems to grow exponentially with the lattice dimension. In this work, we show that BKZ can be terminated long before its completion, while still providing bases of excellent quality. More precisely, we show that if given as inputs a basis (bi)i≤n ∈ Qn×n of a lattice L and a block-size β, and if terminated after Ω “ n3 β2 (log n + log log maxi bi ) ” calls to a β-dimensional HKZ-reduction (or SVP) subroutine, then BKZ returns a basis whose ...
Guillaume Hanrot, Xavier Pujol, Damien Stehl&eacut
Added 23 Dec 2011
Updated 23 Dec 2011
Type Journal
Year 2011
Where IACR
Authors Guillaume Hanrot, Xavier Pujol, Damien Stehlé
Comments (0)